Packet sniffer
A packet analyzer is a computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network or part of a network. As data streams flow across the network, the sniffer captures each packet and, if needed, decodes the packet's raw data, showing the values of various fields in the packet, and analyzes its content according to the appropriate RFC or other specifications.
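The decoding step described above, as an added example that is not part of the original article: a minimal dissector that takes a raw Ethernet frame and reports the IPv4 (RFC 791) and TCP (RFC 793) header fields, verifying the IPv4 header checksum on the way. The frame bytes, addresses and ports are constructed for this example and are not a real capture; the TCP checksum is deliberately not computed or checked.

```python
import struct
from typing import Any, Dict

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791, section 3.1).

    Over a header whose checksum field is already filled in the result
    is 0, which is the integrity check a dissector makes.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame: bytes) -> Dict[str, Any]:
    """Dissect Ethernet II -> IPv4 -> TCP and return the field values.

    Truncated or unexpected input raises ValueError instead of being
    decoded on a guess; captured bytes are untrusted input.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    out: Dict[str, Any] = {"dst_mac": dst_mac.hex(":"),
                           "src_mac": src_mac.hex(":"),
                           "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)

    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _hchk,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl or total_len < ihl:
        raise ValueError("bad IPv4 version, IHL or total length")
    out.update({
        "ip_ident": ident,
        "ip_ttl": ttl,
        "ip_proto": proto,
        "ip_src": ".".join(str(b) for b in src),
        "ip_dst": ".".join(str(b) for b in dst),
        "ip_dont_fragment": bool(flags_frag & 0x4000),
        "ip_frag_offset": flags_frag & 0x1FFF,
        "ip_checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
    })
    if proto != PROTO_TCP:
        return out                           # other transports: stop at IP

    tcp = ip[ihl:total_len]                  # trailing padding is not TCP
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_flags, window, _tchk,
     _urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("bad TCP data offset")
    flags = off_flags & 0x01FF
    out.update({
        "tcp_sport": sport,
        "tcp_dport": dport,
        "tcp_seq": seq,
        "tcp_ack": ack,
        "tcp_flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
        "tcp_window": window,
        "tcp_payload": tcp[data_off:],
    })
    return out


def build_sample_frame() -> bytes:
    """Constructed sample: an HTTP request segment from 10.0.0.2 to 10.0.0.1."""
    payload = b"GET / HTTP/1.0\r\n"
    # TCP: sport 40000, dport 80, seq 1000, ack 2000, data offset 5 words,
    # flags PSH|ACK (0x018). TCP checksum left at 0 (not verified here).
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1000, 2000, 0x5018, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                     PROTO_TCP, 0, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill checksum
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") \
        + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


if __name__ == "__main__":
    for key, value in decode_frame(build_sample_frame()).items():
        print("%-18s %r" % (key, value))
```

Running the block prints the decoded fields of the constructed frame. The strict length checks are the part worth copying: a dissector that trusts the IHL or data-offset fields it reads from the wire is the classic way a sniffer itself becomes the target.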

Capabilities

On wired broadcast LANs, depending on the network structure (hub or switch), one can capture traffic on all or just parts of the network from a single machine within the network; however, there are some methods to avoid traffic narrowing by switches to gain access to traffic from other systems on the network (e.g., ARP spoofing). For network monitoring purposes, it may also be desirable to monitor all data packets in a LAN by using a network switch with a so-called monitoring port, whose purpose is to mirror all packets passing through all ports of the switch when systems (computers) are connected to a switch port. Using a network tap is an even more reliable solution than using a monitoring port, since taps are less likely to drop packets during high traffic loads.
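The "traffic narrowing by switches" mentioned above, as an added illustration that is not from the original article: a textbook model of a hub and of a MAC-learning switch, run over the same three frames, to show which of them a sniffer on a third port actually receives, and what a mirror port restores. The port numbers and MAC addresses are constructed; the switch model ignores VLANs and IGMP snooping.

```python
from typing import Dict, List, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
Frame = Tuple[int, str, str]   # (ingress port, source MAC, destination MAC)


class Hub:
    """A repeater: every frame goes out every port except the one it came in on."""

    def __init__(self, ports: List[int]) -> None:
        self.ports = set(ports)

    def forward(self, in_port: int, src: str, dst: str) -> Set[int]:
        return self.ports - {in_port}


class LearningSwitch:
    """A transparent bridge: learns source MACs, sends known unicast to one
    port only, floods broadcast and unknown destinations. An optional mirror
    port receives a copy of every frame regardless of the MAC table."""

    def __init__(self, ports: List[int], mirror_port: Optional[int] = None) -> None:
        self.ports = set(ports)
        self.mirror_port = mirror_port
        self.mac_table: Dict[str, int] = {}

    def forward(self, in_port: int, src: str, dst: str) -> Set[int]:
        self.mac_table[src] = in_port                       # learn the sender
        candidates = self.ports - {in_port} - {self.mirror_port}
        if dst == BROADCAST or dst not in self.mac_table:
            out = candidates                                # flood
        else:
            out = {self.mac_table[dst]} & candidates        # narrow to one port
        if self.mirror_port is not None:
            out = out | {self.mirror_port}                  # copy to the monitor
        return out


def frames_seen_by(device, sniffer_port: int, traffic: List[Frame]) -> List[int]:
    """Indices of the frames in `traffic` that reach sniffer_port."""
    return [i for i, (in_port, src, dst) in enumerate(traffic)
            if sniffer_port in device.forward(in_port, src, dst)]


# Constructed scenario: host A on port 1, host B on port 2, sniffer on port 3.
HOST_A, HOST_B = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
TRAFFIC: List[Frame] = [(1, HOST_A, HOST_B), (2, HOST_B, HOST_A), (1, HOST_A, HOST_B)]
SNIFFER_PORT = 3

if __name__ == "__main__":
    print("hub:            ", frames_seen_by(Hub([1, 2, 3]), SNIFFER_PORT, TRAFFIC))
    print("switch:         ", frames_seen_by(LearningSwitch([1, 2, 3]), SNIFFER_PORT, TRAFFIC))
    print("switch + mirror:", frames_seen_by(LearningSwitch([1, 2, 3], mirror_port=3),
                                             SNIFFER_PORT, TRAFFIC))
```

On the hub the sniffer sees all three frames; on the switch it sees only the first one, which was flooded because B's address had not been learned yet; with port 3 configured as the mirror it sees all three again. That first flooded frame is also why a sniffer on a switched segment still picks up some traffic that is not its own, and why ARP spoofing, which corrupts the mapping hosts use, gets an attacker the rest.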

On wireless LANs, one can capture traffic on a particular channel.

On wired broadcast and wireless LANs, to capture traffic other than unicast traffic sent to the machine running the sniffer software, multicast traffic sent to a multicast group to which that machine is listening, and broadcast traffic, the network adapter being used to capture the traffic must be put into promiscuous mode; some sniffers support this, others do not. On wireless LANs, even if the adapter is in promiscuous mode, packets not for the service set for which the adapter is configured will usually be ignored. To see those packets, the adapter must be in monitor mode.
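The receive filter the preceding paragraphs describe, as an added model that is not from the original article: which frames an adapter hands to the sniffer in normal, promiscuous and monitor mode, including the wireless case where promiscuous mode still drops frames belonging to another service set. MAC addresses, the joined multicast group and the BSSIDs are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Set

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def is_multicast(mac: str) -> bool:
    """Group address: the I/G bit (LSB of the first octet) is set.
    Broadcast is the all-ones special case of a group address."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


@dataclass
class Frame:
    dst: str
    bssid: Optional[str] = None   # set for 802.11 frames, None for Ethernet


@dataclass
class Adapter:
    own_mac: str
    groups: Set[str]              # multicast groups this host has joined
    bssid: Optional[str] = None   # service set the adapter is associated with
    mode: str = "normal"          # "normal" | "promiscuous" | "monitor"

    def passes(self, frame: Frame) -> bool:
        """True if the adapter delivers this frame to the host (and sniffer)."""
        if self.mode == "monitor":
            # RFMON: every frame heard on the channel, any service set,
            # no association required.
            return True
        if frame.bssid is not None and frame.bssid != self.bssid:
            # Wireless: frames of other service sets are dropped even in
            # promiscuous mode.
            return False
        if self.mode == "promiscuous":
            return True           # no destination filtering at all
        if frame.dst in (self.own_mac, BROADCAST_MAC):
            return True           # own unicast and broadcast always pass
        return is_multicast(frame.dst) and frame.dst in self.groups


if __name__ == "__main__":
    wired = Adapter("00:11:22:33:44:55", {"01:00:5e:01:02:03"})
    for mode in ("normal", "promiscuous"):
        wired.mode = mode
        print(mode, [wired.passes(Frame(d)) for d in
                     ("00:11:22:33:44:55", "00:11:22:33:44:66",
                      BROADCAST_MAC, "01:00:5e:01:02:03", "01:00:5e:01:02:04")])
```

A defender can turn the same model around: on Linux a capture adapter in promiscuous mode shows the `PROMISC` flag in `ip link` output, which is a cheap thing to audit on hosts that have no business sniffing.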

The captured information is decoded from raw digital form into a human-readable format that permits users of the protocol analyzer to easily review the exchanged information. Protocol analyzers vary in their abilities to display data in multiple views, automatically detect errors, determine the root causes of errors, generate timing diagrams, etc.

Some protocol analyzers can also generate traffic and thus act as the reference device; these can act as protocol testers. Such testers generate protocol-correct traffic for functional testing, and may also have the ability to deliberately introduce errors to test the ability of the DUT (device under test) to deal with error conditions.

Protocol analyzers can also be hardware-based, either in probe format or, as is increasingly common, combined with a disk array. These devices record packets (or a slice of each packet) to a disk array. This allows historical forensic analysis of packets without the user having to recreate the fault.

Uses

The versatility of packet sniffers means they can be used to:
  • Analyze network problems
  • Detect network intrusion attempts
  • Detect network misuse by internal and external users
  • Document regulatory compliance through logging all perimeter and endpoint traffic
  • Gain information for effecting a network intrusion
  • Isolate exploited systems
  • Monitor WAN bandwidth utilization
  • Monitor network usage (including internal and external users and systems)
  • Monitor data-in-motion
  • Monitor WAN and endpoint security status
  • Gather and report network statistics
  • Filter suspect content from network traffic
  • Serve as primary data source for day-to-day network monitoring and management
  • Spy on other network users and collect sensitive information such as passwords (depending on any content encryption methods that may be in use)
  • Reverse engineer proprietary protocols used over the network
  • Debug client/server communications
  • Debug network protocol implementations
  • Verify adds, moves and changes
  • Verify internal control system effectiveness (firewalls, access control, Web filter, Spam filter, proxy)
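Two of the uses listed above, "Detect network intrusion attempts" and "Gather and report network statistics", worked on one capture as an added example that is not part of the original article. The input is a list of already-dissected packet summaries (a sniffer's decoder would produce them); the capture, addresses and the ten-port threshold are constructed assumptions for the example.

```python
from collections import Counter, defaultdict
from typing import Dict, FrozenSet, Iterable, List, NamedTuple, Set, Tuple


class Pkt(NamedTuple):
    src: str
    dst: str
    dport: int
    flags: FrozenSet[str]   # TCP flag names as a dissector reports them
    length: int             # bytes on the wire


def bytes_per_source(packets: Iterable[Pkt]) -> Dict[str, int]:
    """Traffic statistics: bytes sent by each source address."""
    totals: Counter = Counter()
    for p in packets:
        totals[p.src] += p.length
    return dict(totals)


def scan_suspects(packets: Iterable[Pkt],
                  min_ports: int = 10) -> Dict[Tuple[str, str], List[int]]:
    """Intrusion-attempt heuristic: a source that sends bare SYNs to many
    distinct ports of one host and never completes a handshake to them
    (no later ACK from that source to the same dst:port) looks like a
    vertical port scan. Returns {(src, dst): sorted half-open ports}."""
    syn_ports: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    completed: Set[Tuple[str, str, int]] = set()
    for p in packets:
        if p.flags == frozenset({"SYN"}):
            syn_ports[(p.src, p.dst)].add(p.dport)
        elif "ACK" in p.flags and "SYN" not in p.flags:
            completed.add((p.src, p.dst, p.dport))   # handshake went on
    suspects: Dict[Tuple[str, str], List[int]] = {}
    for (src, dst), ports in syn_ports.items():
        half_open = sorted(d for d in ports if (src, dst, d) not in completed)
        if len(half_open) >= min_ports:
            suspects[(src, dst)] = half_open
    return suspects


def sample_capture() -> List[Pkt]:
    """Constructed capture: one client completing an HTTP connection and
    one host probing fifteen ports of the same server."""
    pkts = [Pkt("10.0.0.9", "10.0.0.1", port, frozenset({"SYN"}), 60)
            for port in range(1, 16)]
    pkts += [
        Pkt("10.0.0.2", "10.0.0.1", 80, frozenset({"SYN"}), 60),
        Pkt("10.0.0.2", "10.0.0.1", 80, frozenset({"ACK"}), 52),
        Pkt("10.0.0.2", "10.0.0.1", 80, frozenset({"PSH", "ACK"}), 180),
    ]
    return pkts


if __name__ == "__main__":
    capture = sample_capture()
    print("bytes per source:", bytes_per_source(capture))
    print("scan suspects:   ", scan_suspects(capture))
```

The legitimate client is not flagged because its SYN is followed by an ACK to the same port; the probing host is, because none of its fifteen SYNs are. Real NIDS rules add a time window and a RST count to the same idea so that slow scans and filtered ports are handled.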

Notable packet analyzers

  • Capsa
  • Cain and Abel
  • dSniff
  • Justniffer
  • ettercap
  • Microsoft Network Monitor
  • ngrep (Network Grep)
  • snoop
  • tcpdump
  • Wireshark (formerly known as Ethereal)
  • Carnivore (FBI)
  • Clarified Analyzer
  • Congruity Inspector Software
  • Fluke Lanmeter
  • NetScout nGenius Infinistream
  • NetScout Sniffer Global Analyzer
  • NetScout Sniffer Portable Professional Analyzer
  • Network Instruments Observer
  • Niksun NetDetector
  • OPNET Technologies ACE Analyst
  • SkyGrabber
  • WildPackets OmniPeek (formerly AiroPeek, EtherPeek)
  • Fiddler

See also

  • Lanmeter
  • Logic analyzer
  • Network detector
  • Network Security Toolkit
  • Network tap
  • Packet generation model
  • Packet capture
  • Bus analyzer

External links

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.